From: Solar Designer <solar@openwall.com>
To: Sergey Vlasov <vsu@altlinux.ru>
Cc: Linus Torvalds <torvalds@osdl.org>,
	vendor-sec@lst.de, linux-kernel@vger.kernel.org,
	security@linux.kernel.org
Subject: PID reuse safety for userspace apps (Re: [linux-usb-devel] Re: [Security] [vendor-sec] [BUG/PATCH/RFC] Oops while completing async USB via usbdevio)
Date: Tue, 27 Sep 2005 21:20:48 +0400	[thread overview]
Message-ID: <20050927172048.GA3423@openwall.com> (raw)
In-Reply-To: <20050927165206.GB20466@master.mivlgu.local>

[ I am changing the topic somewhat, so I've trimmed the CC list and
adjusted the Subject. ]

On Tue, Sep 27, 2005 at 08:52:06PM +0400, Sergey Vlasov wrote:
> (Why they did not make a kind of "file descriptor" for processes...)

Actually, I made a proposal back in 1999 which I think would let many
userspace apps deal with PID reuse nicely.

The idea is to introduce a kernel call (it can be a prctl(2) setting,
although my pseudo-code "defines" an entire syscall for simplicity)
which would "lock" the invoking process' view of a given PID (while
letting the PID get reused - so there's no added risk of DoS).  The
original posting and subsequent thread can be seen here:

http://lists.nas.nasa.gov/archives/ext/linux-security-audit/1999/08/msg00108.html

The proposal itself (unedited since 1999, but the idea holds) is as
follows:

in task_struct:
	int locked_pid;

int sys_lockpid(int pid)
{
	int old;

	old = current->locked_pid;
	current->locked_pid = pid;

	return old;
}

on kill(2) and ptrace(2):
	if (pid > 0 && -pid == current->locked_pid)
		return -ESRCH;

on execve(2):
	current->locked_pid = 0;

on fork(2), in get_pid(), where last_pid is the PID being allocated:
	for_each_task (p)
		if (p->locked_pid == last_pid) p->locked_pid = -last_pid;

in applications, such as killall(1):
	do {
		lockpid(target);
		if (!need_to_kill(target)) break;
		if (kill(target, SIGKILL) == 0) break;
	} while (errno == ESRCH);
	lockpid(0);

Performance can be improved by maintaining a global locked_pid_count,
so that fork(2) could skip the loop if count is zero.  Implementing
this would require an extra spinlock (the pseudo-code above will need
some anyway, if actually implemented).

It is possible to clear locked_pid in kill(2) and ptrace(2), but I'm
not sure whether that's a good idea, as we could have these syscalls
in signal handlers that are not aware of the new feature.

-- 
Alexander
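A userspace model of the lockpid() proposal above, added here as an illustration; it is not code from the mail or from any kernel. It keeps a toy task table, a PID allocator that reuses freed PIDs (a constructed one-entry free list standing in for wraparound) and a kill() that applies the locked_pid check, so the stale-PID race can be played through with and without the lock. Names such as model_kill, task_exit and scenario are assumptions of this example.

```c
#include <errno.h>
#define NTASKS 3
struct task { int pid; int alive; int locked_pid; };
static struct task tasks[NTASKS];
static int freed_pid;        /* constructed one-entry free list standing in for PID wraparound */
static int next_pid = 100;
static int last_victim = -1; /* index of the task the last successful kill reached */

/* sys_lockpid(): record the caller's view of pid, return the previous value. */
static int lockpid(struct task *self, int pid) { int old = self->locked_pid; self->locked_pid = pid; return old; }

/* get_pid() from fork(): reuse a freed PID when one exists, and negate
 * locked_pid in every task that was watching that number. */
static int get_pid(void)
{
	int pid = freed_pid ? freed_pid : ++next_pid;
	freed_pid = 0;
	for (int i = 0; i < NTASKS; i++)
		if (tasks[i].locked_pid == pid)
			tasks[i].locked_pid = -pid;
	return pid;
}
/* exit: release the PID so the next fork can hand it out again. */
static void task_exit(struct task *t) { t->alive = 0; freed_pid = t->pid; t->pid = 0; }

/* kill(2) with the proposed check: a locked-then-reused PID reports ESRCH. */
static int model_kill(struct task *self, int pid)
{
	if (pid > 0 && -pid == self->locked_pid)
		return -ESRCH;
	for (int i = 0; i < NTASKS; i++)
		if (tasks[i].alive && tasks[i].pid == pid) { last_victim = i; return 0; }
	return -ESRCH;
}
/* The race: the killer (index 0) notes the target's PID, the target (index 1)
 * exits, a newcomer (index 2) reuses the PID, the killer signals it.
 * Returns kill()'s result; last_victim shows who was actually hit. */
static int scenario(int use_lock)
{
	freed_pid = 0; last_victim = -1;
	tasks[0] = (struct task){ get_pid(), 1, 0 };          /* killer */
	tasks[1] = (struct task){ get_pid(), 1, 0 };          /* target */
	int pid = tasks[1].pid;
	if (use_lock) lockpid(&tasks[0], pid);
	task_exit(&tasks[1]);
	tasks[2] = (struct task){ get_pid(), 1, 0 };          /* newcomer reuses pid */
	int rc = model_kill(&tasks[0], pid);
	lockpid(&tasks[0], 0);
	return rc;
}
```

With the lock held, the reused PID is reported as ESRCH and nobody is signalled; without it the signal lands on the unrelated newcomer.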
